"The devil is in the details" is often said when a hidden element threatens a plan’s overall feasibility. In the context of Europe’s PSD2 Secure Customer Authentication (SCA) requirements, the devil is in 3D Secure metrics.
With PSD2 enforcement already underway across many European markets, eCommerce merchants are now sending their European transactions to 3DS. Only a few, however, are systematically monitoring their performance on those 3DS-enabled transactions.
In this article, we will share the 3DS conversion metrics eCommerce payment experts should track to ensure optimized PSD2 performance. To help you quickly verify that your 3DS monitoring plan is robust, we developed the following diagram:
1. Track volume sent to 3DS, out of entire in-scope volume
Looking at the ratio of 3DS transactions to your entire in-scope transaction volume (leaving aside the ‘straight to authorization’ and any out-of-scope volume), you should pay attention to three preliminary filters to consistently and correctly reflect your PSD2 performance:
- Separately track your conversions per 3DS version – while seemingly counterintuitive, in the months before the PSD2 deadline, transactions sent via 3DS 2.x sometimes experienced higher challenge rates than 3DS1. Inconsistency in some data fields caused issuers’ fraud checks to falsely identify these transactions as a higher fraud risk, resulting in some merchants reverting to using the older 3DS1 version. If you are using more than one version of 3DS (e.g., both 3DS1 and 3DS2.1), you should split your monitoring plan accordingly.
- Separately track app-based and browser-based 3DS authentication flows – the Microsoft SCA scorecard, an independent initiative run by the tech giant for the last few months to track SCA performance across the EEA, clearly shows a massive difference in performance between app-based and browser-based 3DS authentication flows. In its January scorecard, Microsoft shared that the performance inferiority of app-based authentication could be due to 3DS software development kit (SDK) errors, either because the merchant’s 3DS SDK is experiencing problems or because the issuer’s access control server (ACS) is. As the saying goes: you can’t manage what you don’t measure. Before fixing any integration bugs, you must have a firm understanding of how your app and browser authentication flows perform.
- Individual market and issuer-level tracking – although the official January 1, 2021 SCA enforcement deadline has passed, requirements and enforcement schedules vary across markets, making the geographical component of PSD2 even more acute. Fact is, tracking by market level isn’t enough; ideally, you should be tracking your performance on an Issuer/BIN level. This is because different national regulatory policies, the individual issuer risk appetite, and the level of PSD2 readiness might play a crucial role in your performance.
2. SCA challenge rate
As a subset of the volume of transactions sent to 3DS, this metric tracks the rate at which issuers ‘step-up’ your authentication requests and introduce the notorious SCA challenge to your customers.
Preliminary industry discussions had highlighted the importance of tracking authentication methods as part of your overall 3DS monitoring plan. Cultural, social, and legal attitudes towards specific authentication measures such as biometric features vary from market to market and may hinder the effectiveness of these measures (e.g., the perception of a fingerprint or face ID as an intrusive authentication method in some European markets).
The problem is that there’s no way of knowing which authentication method was used by the issuer, as this data is not part of the response protocol to the authentication request. Therefore, although it has the potential to impact conversion rates, currently you cannot track the various authentication methods and measure their performance in a systematic way.
3. Abandonment following an SCA challenge
What is the rate at which customers abandon checkout when challenged? This is one of the key metrics that can uncover the impact of the new regulation on your business. In a PSD2 context, cart abandonment following an introduction of an SCA challenge can happen for many reasons:
- Poor customer experience – mainly when using 3DS1, where the configuration does not support adequate customer experience on mobile devices (e.g., the authentication pop-up window appears off-screen), confusing customers and hindering their ability to provide the required authentication input.
- Latency – the authentication flow slows down the purchase journey, causing frustration and confusion that can lead to cart abandonment. Testing carried out to date by European merchants and CMSPI showed that even successful authentications can take upwards of 60 seconds, and in some cases average over 2 minutes. This presents a significant risk to sales that will impact retailers of all types and sizes.
- Lack of trust or education – customers who are not used to SCA can get confused by the request for additional personal details or mistake the authentication process for a fraud attempt.
Tracking this will allow you to determine if your customers require additional support and education on SCA enforcement. Perhaps new operational flows may help you reclaim those abandoned processes. You might also reconsider your exemption strategy as a means to avoid the negative impact of the SCA challenge.
4. Failed authentication
As a subset of the SCA challenge transaction volume, this metric tracks the rate at which the issuer responds to the authentication request with a declined response code. In this scenario, the failed authentication will end up as a lost transaction, unless you have a decline recovery solution in place — such as Riskified’s PSD2 Optimize, which enables merchants to reclaim good orders that failed SCA.
This simple metric may seem like a black box, but investigating the reasons behind failed authentications might help flesh out integration issues or encourage you to facilitate a richer exchange of data with issuers, with the aim of increasing the frictionless authentication rates.
5. Successfully authenticated
As a subset of the SCA challenge transaction volume, this metric tracks the rate at which the issuer approves the challenge requests.
6. Frictionless authentication
As a subset of the volume sent to 3DS, this metric includes two separate scenarios:
- The rate at which transactions were successfully authenticated by the issuer’s ACS without introducing any challenge (referred to as a “Frictionless Authentication”). By relying on their predefined set of risk parameters to analyze a transaction’s risk level, issuers can enable frictionless authentication, sparing the cardholder an active challenge. This is known as a risk-based authentication (RBA) approach, and in a PSD2 context, it could be used by issuers to apply issuer-initiated exemptions to SCA (e.g., low risk, low-value, trusted beneficiary exemption, etc.), even without an exemption request from the acquirer.
- The rate at which the card scheme’s Directory Server (DS) stands in for the ACS and approves authentication requests as attempts (referred to as a stand-in authentication). To tackle the lack of issuers’ readiness for 3DS 2.x implementation, card schemes like Visa and Mastercard have auto-enrolled issuers for stand-in processing. The stand-in process is limited to a low transaction value of up to €30 across Europe (and will be lowered in the UK on September 14, 2021). Additionally, authorization approval rates differ significantly between issuer authentication and authentication stand-in. This will make any prediction of the future conversion rates impossible.
7. The rate at which acquirer-initiated exemptions were requested
By now, forward-looking merchants have already planned for a robust and holistic exemption strategy, as the means to minimize SCA friction and maximize conversions. Testing and monitoring your exemption requests are crucial to ensure your infrastructure is ready to support the relevant exemption flows.
8. Exemption requests declined by issuer
In this scenario, the issuer decided not to honor the exemption request but also not to apply the SCA challenge (although the transaction was sent via the 3DS rails), and eventually responded with a decline decision to the authentication request.
The alternative scenario is that the issuer will decide not to honor the exemption request, but to apply the SCA challenge. Although this scenario will be tracked under the SCA challenge category, you should address this specific scenario as well should you choose to systematically track your exemption conversion rates.
9. The rate of exemptions honored out of all acquirer-initiated exemptions
Having a trust-based relationship with your banking partners can help promote the likelihood of exemption requests being honored and authorized. For this to happen, you need to monitor your exemption approval rates in conjunction with your proven fraud rates, and make sure your fraud rates are kept as low as possible on an ongoing basis.
Whether you’re looking to increase your revenue, delight your customers, or secure high bank authorization rates for the long term, effective 3DS conversion rates are key. But to really succeed, you need to focus on the right numbers.
By evaluating metrics like challenge success rates, abandonment rates, and frictionless authentication rates, merchants can adequately assess every step of their payment flows and prioritize the resources and actions required to optimize their PSD2 performance.